Cheap Doorbell Cameras Can Be Easily Hijacked, Says Consumer Reports (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Video doorbell cameras have been commoditized to the point where they're available for $30-$40 on marketplaces like Amazon, Walmart, Temu, and Shein. The true cost of owning one might be much greater, however. Consumer Reports (CR) has released the findings of a security investigation into two budget-minded doorbell brands, Eken and Tuck, which are largely the same hardware produced by the Eken Group in China, according to CR. The cameras are further resold under at least 10 more brands. The cameras are set up through a common mobile app, Aiwit. And the cameras share something else, CR claims: "troubling security vulnerabilities."
Among the camera's vulnerabilities cited by CR:
- Sending public IP addresses and Wi-Fi SSIDs (names) over the Internet without encryption
- Takeover of the cameras by putting them into pairing mode (which you can do from a front-facing button on some models) and connecting through the Aiwit app
- Access to still images from the video feed and other information by knowing the camera's serial number.
CR also noted that Eken cameras lacked an FCC registration code. More than 4,200 were sold in January 2024, according to CR, and often held an Amazon "Overall Pick" label (as one model did when an Ars writer looked on Wednesday). CR issued vulnerability disclosures to Eken and Tuck regarding its findings. The disclosures note the amount of data that is sent over the network without authentication, including JPEG files, the local SSID, and external IP address. It notes that after a malicious user has re-paired a doorbell with a QR code generated by the Aiwit app, they have complete control over the device until a user sees an email from Eken and reclaims the doorbell. "These video doorbells from little known manufacturers have serious security and privacy vulnerabilities, and now they've found their way onto major digital marketplaces such as Amazon and Walmart," said Justin Brookman, director of tech policy at Consumer Reports, in a statement. "Both the manufacturers and platforms that sell the doorbells have a responsibility to ensure that these products are not putting consumers in harm's way."
there is this same exact subject 2 posts down (Score:5, Insightful)
Seriously slashdot?
Re:there is this same exact subject 2 posts down (Score:5, Insightful)
Yes.
Why would you expect the /. editors to start reading the site?
Re:there is this same exact subject 2 posts down (Score:4, Insightful)
Re: (Score:2)
Yes.
Why would you expect the /. editors to start reading the site?
Reading their own site would take away from their other job ... moderating Reddit forums
Re: (Score:3)
"What I tell you three times is truth!" So /. is still one count too low.
Re: (Score:3)
dude, one was from msmash and the other from beauhd. if you don't see the difference that's on you!
besides, yes: this site is fed by a few randos who are at home scanning lists and regurgitating anything they deem vaguely curious to the stream. straight away, furiously live, meaning with zero research/checking/editing/screening/discussing/planning/setting. they don't even communicate with each other. that is all it takes to rake in $$$ from advertisements thanks to old (and vanishing) prestige. or thanks to
Re: (Score:2)
So what about the dupe comments, all finding marginally different ways to say "this story is a dupe"? It is not just the /. editors who are not reading the site, it appears a lot of the readers are behaving the same way.
Btw (Score:4, Funny)
Cheap Doorbell Cameras Can Be Easily Hacked fyi
Re: (Score:3)
Cheap Doorbell Cameras Can Be Easily Hacked fyi
Popular ones can be too [slashdot.org]
Re: (Score:2)
Cheap Doorbell Cameras Can Be Easily Hacked fyi
Yeah, I heard this somewhere.
Re:Btw (Score:5, Funny)
I thought this story rang a bell.
The Duplicate Article winner, 2024 (Score:2)
Publishing the same story twice helps make sure we all see it. Fantastic work, keep it up.
You can say that again (Score:2)
Oops vs PSA dept (Score:1)
The dupe should've been from the oops dept.
Slashdot Feature Request (Score:2)
Once an article is recognized as a dupe, comments from both articles should appear in each other. :-)
Duplication mitigation strategy (Score:2)
A random Slashdotter made a suggestion: once articles are recognized as duplicates, comments from both articles should be auto-magically cross-posted to the others. :-)
So people can access all relevant discussion (and spam) in one place.
Leap Day? (Score:2)
I'm sure they meant to dupe on two different days as always.
Important question for Slashdot (Score:2)
I need to know if my cheap doorbell cam can be easily hacked? I have searched and searched, can't find anything on this topic
I Won't Believe this Story... (Score:2)
In related news (Score:3)
Cheap Slashdot editors can be easily duped
They should stop with these stories (Score:2)
Cheap X product has serious flaws (Score:2)
Duh! What do you expect, for CHEAP?